generated from camaraproject/Template_API_Repository
-
Notifications
You must be signed in to change notification settings - Fork 10
/
kyc-match.yaml
585 lines (490 loc) · 27.4 KB
/
kyc-match.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
openapi: 3.0.3
info:
title: Know Your Customer Match
description: |
This API provides the customer with the ability to compare the information it (Service Provider, SP) has for a particular mobile phone user with that on file (and verified) by the mobile phone user's Operator in their own KYC records, in order for the SP to confirm the accuracy of the information and provide a specific service to the mobile phone user.
## Relevant Definitions and concepts
* **KYC**: stands for Know Your Customer and it is the process of a business verifying the identity of their clients and assessing their suitability, along with the potential risks of illegal intentions towards the business relationship.
* **Match Score**: a numerical value that quantifies the similarity between two pieces of text based on the words they contain. This score is often used in various applications like text comparison, plagiarism detection, information retrieval, and natural language processing. The score typically reflects how well the words in one text match the words in another text. In the context of this API, this score will be used to determine how much does the input information looks like the information stored in the Operator's system. Unless otherwise captured in the specification, score will use the Jaro-Winkler distance algorithm for all countries. This parameter, as optional, will be returned depending on the capability of the Operator to calculate the scoring value. This means that not all Operators will implement this functionality or won't have the requested parameter available. It can happen that an Operator implements the score functionality but, for whatever reason, is not able to calculate it based on the client's input or the related stored information. For these cases, the score property related won't be returned in the response.
The range of score values is between "0" and "100", where higher scores indicate a higher similarity between the two compared parameters.
## API Functionality
This API allows API clients to verify the matching of a number of attributes related to a customer identity against the account data bound to their phone number. The API is intended to be used in the following scenarios, for example:
* To verify the user personal data during the digital registration of an account to a 3rd party service.
* To prevent fraud, wrong or imprecise information, and/or facilitate the onboarding of a mobile phone user to a 3rd party service.
The API supports a multi-level hierarchy of property validation. In addition to the initial verification of the `phoneNumber`, an additional `idDocument` validation may occur based on different Operator requirements. This means that, in those cases, if the value of `idDocument` is not provided or it does not match the one bound to the specific phone number in the Operator systems, the operation will return an error.
The following figure is the generic high-level flows of this API.
<img width="848" alt="KYC_Match_flow" src="https://raw.githubusercontent.com/camaraproject/KnowYourCustomer/main/documentation/API_documentation/assets/kyc-match_flow.png">
Note:
* Before calling this API, 3rd parties / enterprise customers who want to use this API should make contact with API provider/ MNO for use of this API. As that will depend on each API provider / MNO's business process as well as GSMA Open Gateway standard process, it is out of scope of this API definition.
* When calling this API, at the beginning, there should be required processes for Authentication / Authorisation / End User Consent capturing. As those processes are defined as CAMARA commonality standards, they are out of scope of this API definition, however, use of the OpenID Connect (OIDC) is stated as security scheme.
## Resources and Operations overview
The API provides the following endpoint:
* An endpoint to verify the matching of a number of attributes related to a mobile phone user identity against the account data bound to their phone number.
## Authorization and authentication
The "Camara Security and Interoperability Profile" provides details on how a client requests an access token. Please refer to Identify and Consent Management (https://github.com/camaraproject/IdentityAndConsentManagement/) for the released version of the Profile.
Which specific authorization flows are to be used will be determined during onboarding process, happening between the API Client and the Telco Operator exposing the API, taking into account the declared purpose for accessing the API, while also being subject to the prevailing legal framework dictated by local legislation.
It is important to remark that in cases where personal user data is processed by the API, and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of 3-legged access tokens becomes mandatory. This measure ensures that the API remains in strict compliance with user privacy preferences and regulatory obligations, upholding the principles of transparency and user-centric data control.
license:
name: Apache 2.0
url: https://www.apache.org/licenses/LICENSE-2.0.html
version: 0.2.1
x-camara-commonalities: 0.4.0
servers:
- url: '{apiRoot}/kyc-match/v0.2'
variables:
apiRoot:
default: http://localhost:9091
description: API root, defined by the service provider, e.g. `api.example.com` or `api.example.com/somepath`
tags:
- name: Match
description: Operations to match a customer identity against the account data bound to their phone number.
paths:
/match:
post:
tags:
- Match
summary: Matching a customer identity by checking a set of attributes related against the account data bound to their phone number.
description: |-
Verify matching of a number of attributes related to a customer identity against the verified data bound to their phone number in the Operator systems. Regardless of whether the `phoneNumber` is explicitly stated in the request body, at least one of the other fields must be provided, otherwise a `HTTP 400 - KNOW_YOUR_CUSTOMER.INVALID_PARAM_COMBINATION` error will be returned.
In order to proceed with the match check, some Operators may have the requirement to perform an additional level of validation based on the `idDocument` property. This means that, in those cases, the `idDocument` is required and the provided value needs to match the one stored in the Operator system associated with the indicated `phoneNumber`. This validation will be done before proceeding with the match check of the rest of the properties. The following two rules apply only in the cases where the Operator have the requirement to validate the `idDocument`:
- If no `idDocument` is provided, then a `HTTP 403 - KNOW_YOUR_CUSTOMER.ID_DOCUMENT_REQUIRED` error will be returned.
- If the provided `idDocument` does not match the one stored in the Operator systems, then a `HTTP 403 - KNOW_YOUR_CUSTOMER.ID_DOCUMENT_MISMATCH` error will be returned.
- There is a corner case where the Operator requires the `idDocument` to perform the match validation for the rest of the properties, but it also needs to be able to perform the validation only for the `idDocument` itself. In this case, if only the `idDocument` is provided along with the phoneNumber (either in the request body or extracted from the access token) then the match will be performed as with any other attribute and the response will contain the result of the match operation.
The API will return the result of the matching process for each requested attribute. This means that the response will **only** contain the attributes for which validation has been requested. Possible values are:
- **true**: the attribute provided matches with the one in the Operator systems.
- **false**: the attribute provided does not match with the one in the Operator systems.
- **not_available**: the attribute is not available to validate.
operationId: KYC_Match
security:
- openId:
- kyc-match:match
parameters:
- $ref: '#/components/parameters/x-correlator'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/KYC_MatchRequestBody'
examples:
KYC_MatchRequestBodyExample:
value:
phoneNumber: '+34629255833'
idDocument: 66666666q
name: Federica Sanchez Arjona
givenName: Federica
familyName: Sanchez Arjona
nameKanaHankaku: federica
nameKanaZenkaku: Federica
middleNames: Sanchez
familyNameAtBirth: YYYY
address: Tokyo-to Chiyoda-ku Iidabashi 3-10-10
streetName: Nicolas Salmeron
streetNumber: 4
postalCode: 1028460
region: Tokyo
locality: ZZZZ
country: JP
houseNumberExtension: VVVV
birthdate: '1978-08-22'
email: abc@example.com
gender: MALE
responses:
'200':
description: OK
headers:
x-correlator:
$ref: '#/components/headers/x-correlator'
content:
application/json:
schema:
$ref: '#/components/schemas/KYC_MatchResponse'
examples:
KYC_Match200Example:
value:
idDocumentMatch: 'true'
nameMatch: 'true'
givenNameMatch: 'not_available'
familyNameMatch: 'not_available'
nameKanaHankakuMatch: 'true'
nameKanaZenkakuMatch: 'false'
middleNamesMatch: 'true'
familyNameAtBirthMatch: 'false'
familyNameAtBirthMatchScore: 90
addressMatch: 'true'
streetNameMatch: 'true'
streetNumberMatch: 'true'
postalCodeMatch: 'true'
regionMatch: 'true'
localityMatch: 'not_available'
countryMatch: 'true'
houseNumberExtensionMatch: 'not_available'
birthdateMatch: 'false'
emailMatch: 'false'
emailMatchScore: 87
genderMatch: 'false'
'400':
$ref: '#/components/responses/Generic400'
'401':
$ref: '#/components/responses/Generic401'
'403':
$ref: '#/components/responses/Generic403'
'404':
$ref: '#/components/responses/Generic404'
'500':
$ref: '#/components/responses/Generic500'
'503':
$ref: '#/components/responses/Generic503'
'504':
$ref: '#/components/responses/Generic504'
components:
securitySchemes:
openId:
type: openIdConnect
openIdConnectUrl: https://example.com/.well-known/openid-configuration
headers:
x-correlator:
description: Correlation id for the different services
schema:
type: string
parameters:
x-correlator:
name: x-correlator
in: header
description: Correlation id for the different services
schema:
type: string
schemas:
KYC_MatchRequestBody:
type: object
description: Payload to validate the customer data.
properties:
phoneNumber:
type: string
description: A public identifier addressing a telephone subscription. In mobile networks it corresponds to the MSISDN (Mobile Station International Subscriber Directory Number). In order to be globally unique it has to be formatted in international format, according to E.164 standard, prefixed with '+'.
idDocument:
type: string
description: Id number associated to the official identity document in the country. It may contain alphanumeric characters.
name:
type: string
description: Complete name of the customer, usually composed of first/given name and last/family/sur- name in a country. Depending on the country, the order of first/give name and last/family/sur- name varies, and middle name could be included. It can use givenName, middleNames, familyName and/or familyNameAtBirth. For example, in ESP, name+familyName; in NLD, it can be name+middleNames+familyName or name+middleNames+familyNameAtBirth, etc.
givenName:
type: string
description: First/given name or compound first/given name of the customer.
familyName:
type: string
description: Last name, family name, or surname of the customer.
nameKanaHankaku:
type: string
description: Complete name of the customer in Hankaku-Kana format (reading of name) for Japan.
nameKanaZenkaku:
type: string
description: Complete name of the customer in Zenkaku-Kana format (reading of name) for Japan.
middleNames:
type: string
description: Middle name/s of the customer.
familyNameAtBirth:
type: string
description: Last/family/sur- name at birth of the customer.
address:
type: string
description: Complete address of the customer. For some countries, it is built following the usual concatenation of parameters in a country, but for other countries, this is not the case. For some countries, it can use streetName, streetNumber and/or houseNumberExtension. For example, in ESP, streetName+streetNumber; in NLD, it can be streetName+streetNumber or streetName+streetNumber+houseNumberExtension.
streetName:
type: string
description: Name of the street of the customer's address. It should not include the type of the street.
streetNumber:
type: string
description: The street number of the customer's address. Number identifying a specific property on the 'streetName'.
postalCode:
type: string
description: Zip code or postal code
region:
type: string
description: Region/prefecture of the customer's address
locality:
type: string
description: Locality of the customer's address
country:
type: string
description: Country of the customer's address. Format ISO 3166-1 alpha-2
houseNumberExtension:
type: string
description: Specific identifier of the house needed depending on the property type. For example, number of apartment in an apartment building.
birthdate:
type: string
description: The birthdate of the customer, in ISO 8601 calendar date format (YYYY-MM-DD).
email:
type: string
description: Email address of the customer in the RFC specified format (local-part@domain).
gender:
type: string
description: Gender of the customer (Male/Female/Other).
enum:
- MALE
- FEMALE
- OTHER
MatchResult:
type: string
enum:
- 'true'
- 'false'
- 'not_available'
MatchScoreResult:
type: integer
description: Indicates the similarity score assigned to the input value when it does not exactly match the value stored in the operator's system. This property shall only be returned when the value of the corresponding match field is `false`.
minimum: 0
maximum: 100
KYC_MatchResponse:
type: object
properties:
idDocumentMatch:
allOf:
- $ref: '#/components/schemas/MatchResult'
- description: Indicates whether Id number associated to the ID document of the customer matches with the one on the Operator's system.
nameMatch:
allOf:
- $ref: '#/components/schemas/MatchResult'
- description: Indicates whether the complete name of the customer matches with the one on the Operator's system.
nameMatchScore:
$ref: '#/components/schemas/MatchScoreResult'
givenNameMatch:
allOf:
- $ref: '#/components/schemas/MatchResult'
- description: Indicates whether First name/given name of the customer matches with the one on the Operator's system.
givenNameMatchScore:
$ref: '#/components/schemas/MatchScoreResult'
familyNameMatch:
allOf:
- $ref: '#/components/schemas/MatchResult'
- description: Indicates whether last name/ family name/ surname of the customer matches with the one on the Operator's system.
familyNameMatchScore:
$ref: '#/components/schemas/MatchScoreResult'
nameKanaHankakuMatch:
allOf:
- $ref: '#/components/schemas/MatchResult'
- description: Indicates whether complete name of the customer in Hankaku-Kana format (reading of name) for Japan matches with the one on the Operator's system.
nameKanaHankakuMatchScore:
$ref: '#/components/schemas/MatchScoreResult'
nameKanaZenkakuMatch:
allOf:
- $ref: '#/components/schemas/MatchResult'
- description: Indicates whether complete name of the customer in Zenkaku-Kana format (reading of name) for Japan matches with the one on the Operator's system.
nameKanaZenkakuMatchScore:
$ref: '#/components/schemas/MatchScoreResult'
middleNamesMatch:
allOf:
- $ref: '#/components/schemas/MatchResult'
- description: Indicates whether the middle names of the customer matches with the one on the Operator's system.
middleNamesScore:
$ref: '#/components/schemas/MatchScoreResult'
familyNameAtBirthMatch:
allOf:
- $ref: '#/components/schemas/MatchResult'
- description: Indicates whether the Family Name At Birth of the customer matches with the one on the Operator's system.
familyNameAtBirthMatchScore:
$ref: '#/components/schemas/MatchScoreResult'
addressMatch:
allOf:
- $ref: '#/components/schemas/MatchResult'
- description: Indicates whether complete address of the customer matches with the one on the Operator's system.
addressMatchScore:
$ref: '#/components/schemas/MatchScoreResult'
streetNameMatch:
allOf:
- $ref: '#/components/schemas/MatchResult'
- description: Indicates whether the street name of the customer matches with the one on the Operator's system.
streetNameMatchScore:
$ref: '#/components/schemas/MatchScoreResult'
streetNumberMatch:
allOf:
- $ref: '#/components/schemas/MatchResult'
- description: Indicates whether the street number of the customer matches with the one on the Operator's system.
streetNumberMatchScore:
$ref: '#/components/schemas/MatchScoreResult'
postalCodeMatch:
allOf:
- $ref: '#/components/schemas/MatchResult'
- description: Indicates whether the postal code / zip code of the customer matches with the one on the Operator's system.
regionMatch:
allOf:
- $ref: '#/components/schemas/MatchResult'
- description: Indicates whether the region of the customer's address matches with the one on the Operator's system.
regionMatchScore:
$ref: '#/components/schemas/MatchScoreResult'
localityMatch:
allOf:
- $ref: '#/components/schemas/MatchResult'
- description: Indicates whether the locality of the customer's address matches with the one on the Operator's system.
localityMatchScore:
$ref: '#/components/schemas/MatchScoreResult'
countryMatch:
allOf:
- $ref: '#/components/schemas/MatchResult'
- description: Indicates whether the country of the customer's address matches with the one on the Operator's system.
houseNumberExtensionMatch:
allOf:
- $ref: '#/components/schemas/MatchResult'
- description: Indicates whether the house number extension of the customer's address with the one on the Operator's system.
birthdateMatch:
allOf:
- $ref: '#/components/schemas/MatchResult'
- description: Indicates whether the birthdate of the customer matches with the one on the Operator's system.
emailMatch:
allOf:
- $ref: '#/components/schemas/MatchResult'
- description: Indicates whether the email address of the customer matches with the one on the Operator's system.
emailMatchScore:
$ref: '#/components/schemas/MatchScoreResult'
genderMatch:
allOf:
- $ref: '#/components/schemas/MatchResult'
- description: Indicates whether the gender of the customer matches with the one on the Operator's system.
ErrorInfo:
type: object
required:
- status
- code
- message
properties:
status:
type: integer
description: HTTP response status code
code:
type: string
description: Code given to this error
message:
type: string
description: Detailed error description
responses:
Generic400:
description: |-
Problem with the client request.
In addition to regular scenario of `INVALID_ARGUMENT`, another scenario may exist.
- Indicated param combination is invalid (`"code": "KNOW_YOUR_CUSTOMER.INVALID_PARAM_COMBINATION","message": "Indicated parameter combination is invalid"`)
headers:
x-correlator:
$ref: '#/components/headers/x-correlator'
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorInfo'
examples:
InvalidArgument:
value:
status: 400
code: INVALID_ARGUMENT
message: Client specified an invalid argument, request body or query param
InvalidParamCombination:
value:
status: 400
code: KNOW_YOUR_CUSTOMER.INVALID_PARAM_COMBINATION
message: Indicated parameter combination is invalid
Generic401:
description: Authentication problem with the client request. Unauthorized error. Access Token related errors.
headers:
x-correlator:
$ref: '#/components/headers/x-correlator'
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorInfo'
examples:
Unauthenticated:
value:
status: 401
code: UNAUTHENTICATED
message: Request not authenticated due to missing, invalid, or expired credentials
Generic403:
description: |
Client does not have sufficient permission.
In addition to regular scenario of `PERMISSION_DENIED`, another scenarios may exist:
- Phone number cannot be deducted from access token context.(`{"code": "INVALID_TOKEN_CONTEXT","message": "Phone number mismatch with access token context"}`)
- The idDocument property is missing.(`{"code": "KNOW_YOUR_CUSTOMER.ID_DOCUMENT_REQUIRED","message": "The idDocument is required to perform the properties validation"}`)
- The idDocument does not match the one associated to the provided phoneNumber in the Operator's system.(`{"code": "KNOW_YOUR_CUSTOMER.ID_DOCUMENT_MISMATCH","message": "The idDocument needs to match the one associated with the provided phoneNumber"}`)
headers:
x-correlator:
$ref: '#/components/headers/x-correlator'
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorInfo'
examples:
PermissionDenied:
value:
status: 403
code: PERMISSION_DENIED
message: Client does not have sufficient permissions to perform this action
InvalidTokenContext:
value:
status: 403
code: INVALID_TOKEN_CONTEXT
message: Phone number mismatch with access token context
IdDocumentRequired:
value:
status: 403
code: KNOW_YOUR_CUSTOMER.ID_DOCUMENT_REQUIRED
message: The idDocument is required to perform the properties validation
IdDocumentMismatch:
value:
status: 403
code: KNOW_YOUR_CUSTOMER.ID_DOCUMENT_MISMATCH
message: The idDocument needs to match the one associated with the provided phoneNumber
Generic404:
description: |
Not Found error. Error if URL is wrong / user is not found.
headers:
x-correlator:
$ref: '#/components/headers/x-correlator'
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorInfo'
examples:
NotFound:
value:
status: 404
code: NOT_FOUND
message: not_found_contractor/not_found
Generic500:
description: Server error. Problem with MNO's server side. Some processing error within MNO's servers.
headers:
x-correlator:
$ref: '#/components/headers/x-correlator'
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorInfo'
examples:
ServerError:
value:
status: 500
code: INTERNAL
message: Server error
Generic503:
description: Service unavailable. Typically the server is down. Problem with MNO's server side. Any unexpected error within MNO's servers.
headers:
x-correlator:
$ref: '#/components/headers/x-correlator'
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorInfo'
examples:
ServiceUnavailable:
value:
status: 503
code: UNAVAILABLE
message: Service unavailable
Generic504:
description: Request time exceeded. If it happens repeatedly, consider reducing the request complexity
headers:
x-correlator:
$ref: '#/components/headers/x-correlator'
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorInfo'
example:
status: 504
code: TIMEOUT
message: Request timeout exceeded. Try later.